[Freeipa-users] sudo 'run as' question

William Muriithi william.muriithi at gmail.com
Sun Feb 9 21:13:50 UTC 2014


Afternoon,

I have an application that uses the account image as a service account. I can
su to the account 'image' and start or stop it fine. No root privilege
needed. So I am now trying to set it up so that other developers are
able to restart it through sudo, and that's when I realized I am missing
something about sudo.

The problem is under "run as" usage. When I look at the man page, it implies that
the "run as" account doesn't need to be root. Quoting the man page:

Begin quote:
sudo allows a permitted user to execute a command as the superuser or
another user, as specified by the security policy.
End quote.

On FreeIPA, I have a sudo rule called developers with the necessary hostgroups
and usergroups. At the bottom is a section titled "AS WHOM" and that's
where I am having a problem. If I use root under the RunAs Users section, it
works. If I substitute root with the account image, I get the following error.

[william at dev18-yyz-int ~]$ sudo service imageserver stop
[sudo] password for william:
Sorry, user william is not allowed to execute '/sbin/service imageserver
stop' as root on dev18-yyz-int.jamar.loc.

[william at dev18-yyz-int ~]$ ls -al /etc/init.d/imageserver
-rwxr-xr-x. 1 image image 1014 Jan 9 15:38 /etc/init.d/imageserver

[william at dev18-yyz-int ~]$ cat /etc/init.d/imageserver
#! /bin/sh

# Start the service as user "image" via runuser.
start(){
    echo "Starting imageserver.."
    eval "runuser - image -c '/usr/local/bin/imageserver.sh &'"
}

# Find the running process and kill it as user "image".
stop(){
    echo "Stopping imageserver.."
    PIDNUMBER=`ps aux | grep imaginserver | grep -v grep | awk '{print $2}'`
    echo $PIDNUMBER
    eval "runuser - image -c 'kill -9 $PIDNUMBER'"
}

[william at dev18-yyz-int ~]$ ls -al /usr/local/bin/imageserver.sh
-rwxr--r--. 1 image image 89 Jan 9 15:36 /usr/local/bin/imageserver.sh

[williamm at dev18-yyz-int ~]$ cat /usr/local/bin/imageserver.sh
#!/bin/bash
cd /opt/jamar/application/imaginserver
nohup ant run > /dev/null 2>&1 &

Is it possible to use sudo without first needing to go through root
momentarily? I suspect this should be possible, as sudo's "run as" facility
wouldn't make sense otherwise.

So, it would work as follows:

William -> image

Instead of:

William -> root -> image.

Appreciate any advice in advance.

William
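Added illustration (an editor's example, not part of William's post and not FreeIPA or sudo project code): the local sudoers equivalent of the FreeIPA rule described above, with the invocation that selects the non-root target. The group name developers, the user image and the command path are taken from the post; the fragment file name is assumed.

```sudoers
# /etc/sudoers.d/imageserver  (assumed file name; this is the local-file
# form of a FreeIPA sudo rule whose "RunAs Users" is set to image)
#
#   who          where   as whom   what
%developers      ALL  =  (image)   /sbin/service imageserver start, \
                                   /sbin/service imageserver stop

# Invocation. sudo's target user defaults to root when -u is omitted, which
# is why the denial in the post reads "... as root on dev18-yyz-int...":
# a rule that only permits (image) never matches a request to run as root.
# Name the permitted target explicitly:
#
#   sudo -u image /sbin/service imageserver stop
#
# Equivalent FreeIPA CLI form of the same rule (names from the post):
#
#   ipa sudorule-add-runasuser developers --users=image
#   ipa sudorule-add-allow-command developers --sudocmds='/sbin/service imageserver stop'
```

Two things to check when adopting this path. First, the rule matches only the listed command strings, so `sudo -u image /sbin/service imageserver restart` is denied unless it is added to the command list; keeping the list narrow is the point of running as a service account rather than root. Second, the init script shown in the post calls `runuser`, which itself must run as root, so once the script is executed as image the `runuser` wrapper has to go (start `/usr/local/bin/imageserver.sh` and the `kill` directly); otherwise the command is permitted by sudo but fails inside the script.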